DMARC Implementation Lags as Email Fraud Surges

As spam dominates email traffic, most domain owners still have not attempted to implement DMARC, the latest and most complete form of email fraud protection.

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a standard that ensures only authorized senders can use an organization’s domain name in their emails.

ValiMail’s 2017 Email Fraud Landscape Report shows that email fraud is a pervasive threat: One in five messages sent today comes from an unauthorized sender, and many of those represent fraudulent activity. Yet virtually all domains lack adequate protection. Just 0.5% of the top million domains have protected themselves from impersonation through email authentication, leaving 99.5% vulnerable, the report found.

Over three-fourths (76%) of the world’s email inboxes support DMARC and will enforce domain owners’ authentication policies, if those policies exist. However, incorrect DMARC deployments often prevent email protection. Over three-fourths (77%) of domains that have deployed DMARC records remain unprotected from fraud, either through misconfiguration or by setting a permissive DMARC policy. Overall, only 15% to 25% of companies that attempt DMARC succeed at achieving protection from fraud, depending on category.
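To make the difference between a deployed record and a protective one concrete, the following added example (not from the ValiMail report) classifies DMARC TXT records by whether they ask receivers to act on failing mail. The sample records are constructed, and the category names and the functions `parse_tags`, `classify` and `summarize` are this example's own.

```python
from collections import Counter

ENFORCING = {"quarantine", "reject"}  # policies that tell receivers to act on failures

def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered dict; None if malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing semicolon
        if "=" not in part:
            return None
        name, value = part.split("=", 1)
        name = name.strip().lower()
        if name in tags:
            return None                   # assumption: duplicate tags count as malformed
        tags[name] = value.strip()
    return tags

def classify(record):
    """Return 'invalid', 'monitor-only', 'partial' or 'enforced'."""
    tags = parse_tags(record)
    # The version tag must come first and be exactly DMARC1.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor-only"             # reports only; spoofed mail is still delivered
    if policy not in ENFORCING:
        return "invalid"                  # simplification: missing or misspelled p= is unusable
    try:
        pct = int(tags.get("pct", "100")) # pct defaults to 100 when absent
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    return "enforced" if pct == 100 else "partial"

def summarize(records):
    """Count records per category, e.g. to audit a list of owned domains."""
    return Counter(classify(r) for r in records)

# Constructed sample records for illustration only.
SAMPLES = [
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=25",
    "v=DMARC1 p=reject",                  # missing semicolon
    "p=reject; v=DMARC1",                 # version tag not first
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

Only the first sample comes back as `enforced`; the others are published records that leave the domain open to impersonation.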

“Email has been weaponized by hackers as the leading way to infiltrate networks, and the vast majority of businesses are leaving themselves vulnerable by either incorrectly configuring their authentication systems or forgoing protection entirely,” said Alexander García-Tobar, CEO and co-founder of ValiMail. “Businesses are asking their employees to complete an impossible task: identifying who is real and who is an impersonator, by closely examining every message in their inboxes. The only sustainable solution is for companies to take control of their email security at the technology level and stop placing the onus on employees to prevent phishing attacks.”